Researchers Win $100,000 for New Spear-Phishing Detection Method

Facebook has awarded this year's Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks.

The five-person research team focused on detecting spear-phishing attacks alone, and specifically credential spearphishing (emails that lure the recipient into entering their credentials on an attacker-controlled page), not spam or other types of email-based threats.

Winning team created DAS

They did this by creating a system called DAS (Directed Anomaly Scoring) that flags emails whose characteristics are unusual relative to the rest of the organization's email traffic.

They evaluated DAS on 370 million emails from a single large enterprise with thousands of employees, sent between March 2013 and January 2017.

The researchers configured DAS to weigh a series of features when evaluating newly received emails. These included a reputation score for the sender's domain and one for the sender itself, but the system also drew on SMTP, NIDS, and LDAP logs, looking at logins from new IP addresses, total logins per employee, periods of inactivity, and other signals.

By combining these factors, DAS was able to detect spoofed addresses and spoofed sender names, as well as lateral attacks sent from the compromised accounts of fellow co-workers.
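To make the scoring idea concrete, the following is an added example, not the Berkeley team's code or data, of dominance-based anomaly scoring in the spirit of DAS run over a handful of constructed click events. The feature names, their "lower is more suspicious" orientation, the sample values, and the alert-budget helper are all assumptions made for illustration.

```python
# Added example: a small reimplementation of the Directed Anomaly Scoring idea
# (ranking events by how many others they dominate across several
# "suspiciousness" features). Feature names, their orientation and all sample
# data are constructed for illustration; this is not the researchers' code.
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class ClickEvent:
    """One 'user clicked a link in an email' event with its reputation features.

    Every feature is oriented so that a LOWER value is MORE suspicious: a
    never-seen sender, a domain nobody in the organisation has visited, and a
    domain first seen very recently all look like credential spearphishing.
    """
    email_id: str
    sender_prior_emails: int   # emails previously received from this sender address
    domain_prior_visits: int   # prior visits from the org to the clicked domain
    domain_age_days: int       # days since the org first visited the clicked domain


FEATURES: Sequence[str] = ("sender_prior_emails", "domain_prior_visits", "domain_age_days")


def at_least_as_suspicious(a: ClickEvent, b: ClickEvent, features: Sequence[str] = FEATURES) -> bool:
    """True when `a` is at least as suspicious as `b` in EVERY feature.

    This partial order is the core of the approach: an event only dominates
    another if it is not less suspicious on any single dimension, so no
    per-feature weights or thresholds have to be hand-picked.
    """
    return all(getattr(a, f) <= getattr(b, f) for f in features)


def das_scores(events: Sequence[ClickEvent], features: Sequence[str] = FEATURES) -> Dict[str, int]:
    """Score each event by how many OTHER events it is at least as suspicious as.

    A high score means the event sits at the suspicious corner of the feature
    space relative to the bulk of traffic. No labelled examples are needed,
    only the direction of suspiciousness for each feature.
    """
    return {
        e.email_id: sum(1 for other in events if other is not e and at_least_as_suspicious(e, other, features))
        for e in events
    }


def rank_alerts(events: Sequence[ClickEvent], budget: int) -> List[str]:
    """Return the ids of the `budget` highest-scoring events for analysts to review.

    Ties are broken by id so the output is deterministic.
    """
    scores = das_scores(events)
    ranked = sorted(events, key=lambda e: (-scores[e.email_id], e.email_id))
    return [e.email_id for e in ranked[:budget]]


def expected_alerts_per_day(emails_per_day: int, false_positive_rate: float) -> float:
    """Daily analyst workload implied by a false-positive rate (0.004% is passed as 0.00004)."""
    return emails_per_day * false_positive_rate


# Constructed sample: one day's click events. 'benign-3' is a never-seen
# sender linking to a heavily visited domain; 'benign-4' is a frequent sender
# linking to a rarely visited but long-known domain. Neither is extreme on
# every feature at once, so neither should outrank the two that are.
SAMPLE_EVENTS: List[ClickEvent] = [
    ClickEvent("benign-1", sender_prior_emails=120, domain_prior_visits=5000, domain_age_days=900),
    ClickEvent("benign-2", sender_prior_emails=40, domain_prior_visits=300, domain_age_days=400),
    ClickEvent("benign-3", sender_prior_emails=3, domain_prior_visits=8000, domain_age_days=1200),
    ClickEvent("benign-4", sender_prior_emails=500, domain_prior_visits=2, domain_age_days=700),
    ClickEvent("phish-1", sender_prior_emails=0, domain_prior_visits=0, domain_age_days=0),
    ClickEvent("suspect-2", sender_prior_emails=1, domain_prior_visits=10, domain_age_days=2),
]


if __name__ == "__main__":
    for email_id, score in sorted(das_scores(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{email_id:10s} score={score}")
    print("alerts for analysts:", rank_alerts(SAMPLE_EVENTS, budget=2))
```

The point of the dominance test is that a single unusual feature is not enough: a new sender pointing at a domain the whole company visits daily scores zero, while an event that is at the suspicious end of every feature dominates everything else. Because the score is only a ranking, the operator picks a fixed number of alerts per day that the incident response team can actually review, rather than tuning a threshold on a dataset that has almost no labelled attacks.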

DAS detected 17 out of 19 spear-phishing emails

"Out of 19 spearphishing attacks, our detector failed to detect 2 attacks," the research team said.

"Our detector [also] achieved an average false positive rate of 0.004%," researchers added, pointing out that this is almost 200 times better than previous research.

Based on their sample data, the company on which DAS was evaluated received 263,086 emails per day. At a 0.004% false positive rate, that means incident response teams would have had to inspect only around 10.5 emails per day had DAS been deployed on their network, freeing analysts for other tasks.

Low false positive rate is DAS' primary achievement

Facebook, which forked over the cash for the award, cited the low false positive rate as one of two reasons it selected the Berkeley DAS detector as this year's winner.

The other reason was the impact of spear-phishing attacks, which are often the root cause of today's major cyber-incidents, such as the DNC hack, the OPM hack, and others. Below is Facebook's full rationale for selecting Berkeley's DAS as the winner.

First, in recent history, successful spearphishing attacks have led to a number of prominent information leaks. Every time the community improves the detection or prevention of compromise from a technical standpoint, the human factor becomes an even stronger focal point of adversaries. Helping protect people from social engineering attacks becomes even more important. This research can help reduce the potential of such compromises happening in the future. Secondly, the authors acknowledge and account for the cost of false positives in their detection methodology. This is significant because it factors into the overhead cost and response time for incident response teams.

The Berkeley team presented their findings at the USENIX Security conference that took place this week in Vancouver, Canada. The research paper, titled "Detecting Credential Spearphishing in Enterprise Settings", is available from USENIX. A video of the team's presentation at the conference is also available.

Honorable mentions

Facebook also awarded honorable mentions to two other research projects, also presented at USENIX.

Last year's $100,000 Internet Defense Prize went to a research project titled "Post-quantum Key Exchange—A New Hope", which focused on adding post-quantum protection to TLS. That key exchange has already been trialled in Chrome, and there are plans to support it in the Tor Browser as well.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

There can be a downside to automated spear-phishing detection, one common to other automated screening schemes: user false confidence and over-dependence (and that attackers learn to exploit weaknesses in any algorithm-based approach).

Only missed 2 of 19, and a low false-positive rate; so why bother training? Well, there are those two; and it only takes one.

Would have been better if they showed how many of those 19 were spotted by someone who knows to, and how to, spot spear-phishing and other social engineering ploys.

There are scenarios where this could be used to improve training, rather than as a substitute; but like spam or other malware filters, it will likely become a rationale to not bother - or to shift the blame when a SP attack succeeds.